mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-02 11:45:20 +02:00
407c36b48a
Two separate adversarial findings, one fix each:
1. Canary stream-chunk split bypass. detectCanaryLeak ran .includes()
per-delta on text_delta / input_json_delta events. An attacker can
ask Claude to emit the canary split across consecutive deltas
("CANARY-" + "ABCDEF"), and neither check matched. Add a DeltaBuffer
holding the last (canary.length-1) chars; concat tail + chunk, check,
then trim. Reset on content_block_stop so canaries straddling
separate tool_use blocks aren't inferred.
2. Transcript classifier tool_output context. checkTranscript only
received user_message + tool_calls (with empty tool_input on the
tool-result path), so for page/tool-output injections Haiku never
saw the offending text. Only testsavant_content got a signal, and
2-of-N degraded it to WARN. Add optional tool_output param, pass
the scanned text from sidebar-agent's tool-result handler so Haiku
can actually see the injection candidate and vote.
Both found by claude adversarial + codex adversarial agreeing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
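The DeltaBuffer approach from finding 1, written out as an added example (not gstack's own code): a naive per-delta `includes()` beside the windowed check that carries the last `canary.length-1` characters across deltas and resets on `content_block_stop`. Event shapes follow the Anthropic Messages streaming format; the function names and the sample event list are assumptions constructed for this example.

```typescript
// Added example, not gstack's code. Event shapes assume the Anthropic Messages
// streaming API: content_block_delta carrying text_delta / input_json_delta,
// and content_block_stop closing a block.
type StreamEvent =
  | { type: "content_block_delta";
      delta: { type: "text_delta"; text: string }
           | { type: "input_json_delta"; partial_json: string } }
  | { type: "content_block_stop" };

function deltaText(ev: StreamEvent): string | null {
  if (ev.type !== "content_block_delta") return null;
  return ev.delta.type === "text_delta" ? ev.delta.text : ev.delta.partial_json;
}

// Naive check: each delta is inspected on its own, so a canary split across
// two deltas is never seen as a whole.
function naiveDetect(events: StreamEvent[], canary: string): boolean {
  return events.some((ev) => {
    const t = deltaText(ev);
    return t !== null && t.includes(canary);
  });
}

// Keeps the last (canary.length - 1) chars of what has been seen, so any
// canary straddling a delta boundary is still matched once the rest arrives.
class DeltaBuffer {
  private tail = "";
  constructor(private readonly canary: string) {}
  push(chunk: string): boolean {
    const window = this.tail + chunk;
    const leaked = window.includes(this.canary);
    const keep = this.canary.length - 1;
    this.tail = keep > 0 ? window.slice(-keep) : ""; // trim to the tail only
    return leaked;
  }
  reset(): void { this.tail = ""; } // called on content_block_stop
}

function bufferedDetect(events: StreamEvent[], canary: string): boolean {
  const buf = new DeltaBuffer(canary);
  for (const ev of events) {
    if (ev.type === "content_block_stop") { buf.reset(); continue; }
    const t = deltaText(ev);
    if (t !== null && buf.push(t)) return true;
  }
  return false;
}

// Constructed sample stream: the canary arrives split across two text deltas.
const SPLIT_STREAM: StreamEvent[] = [
  { type: "content_block_delta", delta: { type: "text_delta", text: "token: CANARY-" } },
  { type: "content_block_delta", delta: { type: "text_delta", text: "ABCDEF ok" } },
  { type: "content_block_stop" },
];
```

A canary whose halves fall in two different content blocks (a `content_block_stop` between them) is intentionally not reported, matching the reset described in the commit.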